Slashdot

U.S. exchanges' four-character limit for ETF tickers is creating fierce competition in the $10 trillion industry, particularly for single-stock funds. With 456,976 possible combinations, options narrow drastically when built around existing company tickers. MicroStrategy-inspired ETFs, for instance, leave issuers with just 52 choices using 'MST'. Memorable tickers are crucial for differentiation and can improve stock liquidity.

Read more of this story at Slashdot.

U.S. public utility giant American Water says it has disconnected some of its systems after discovering that hackers breached its internal networks last week. From a report: American Water, which supplies drinking water and wastewater services to more than 14 million people across the United States, confirmed the security incident in an 8-K regulatory filing with the U.S. Securities and Exchange Commission on Monday. The New Jersey-based company said in its filing that its water and wastewater facilities are "at this time" not affected and continue to operate without interruption, though the company noted that it's currently "unable to predict the full impact of this incident." American Water said it also notified law enforcement of the intrusion. The company said it discovered "unauthorized activity" within its networks on October 3 and promptly moved to disconnect affected systems. In a statement on its website, American Water said it is "pausing billing until further notice." "In an effort to protect our customers' data and to prevent any further harm to our environment, we disconnected or deactivated certain systems," Ruben E. Rodriguez, a spokesperson for American Water, told TechCrunch in a statement. "There will be no late charges for customers while these systems are unavailable." Rodriguez declined to state which systems were unavailable and also declined to comment on the nature of the cybersecurity incident.

Read more of this story at Slashdot.

doc1623 writes: Advocacy groups behind a so-called suicide capsule said Sunday they have suspended the process of taking applications to use it -- which numbered over 370 last month -- as a criminal investigation into its first use in Switzerland is completed. The president of Switzerland-based The Last Resort, Florian Willet, is being held in pretrial detention, said the group and Exit International, an affiliate founded in Australia over a quarter century ago. Swiss police arrested Willet and several other people following the death of an unidentified 64-year-old woman from the U.S. Midwest who on Sept. 23 became the first person to use the device, known as the "Sarco," in a forest in the northern Schaffhausen region near the German border. Others initially detained were released from custody, authorities have said.

Read more of this story at Slashdot.

Amazon will likely eliminate around 14,000 corporate jobs by early next year as part of ongoing efforts to reduce costs, according to a note Morgan Stanley sent to clients that Slashdot has reviewed. Brian Nowak of Morgan Stanley estimated Amazon could cut approximately 13,800 manager positions by the end of the first quarter of 2025, based on the company's stated goal of increasing the ratio of individual contributors to managers by at least 15%. "AMZN management's recent letter laying out an increased focus on efficiency should lead to further EBIT cushion and (potential) upside in '25," Nowak wrote. The potential headcount reduction could result in $2.1 billion to $3.6 billion in annual cost savings for Amazon, adding 3% to 5% to the company's 2025 operating profit, according to Nowak's analysis. Amazon has already cut over 27,000 jobs since late 2022 as part of a major cost-cutting push. The company employed 1.54 million people globally as of the end of June.

Read more of this story at Slashdot.

Google's grip on the nearly $300 billion search advertising business is loosening. From a report: For years, the tech giant has seemed invincible in this corner of the ad market, which is the foundation of its business. Now, rivals are beginning to eat into its lead, and new offerings -- fueled by the rise of artificial intelligence and social video -- threaten to reshape the landscape. TikTok, the wildly popular short-form video platform, has recently started allowing brands to target ads based on users' search queries -- a direct challenge to Google's core business. Perplexity, an AI search startup backed by Jeff Bezos, plans to introduce ads later this month under its AI-generated answers. Until now, it has made revenue mostly from a $20-a-month subscription offering that grants access to more-powerful AI technology. The new initiatives add to the pressure on Google from the rise of Amazon.com, which has taken a chunk of search ad spending. Many consumers begin product searches on the e-commerce platform. Google's share of the U.S. search ad market is expected to drop below 50% next year for the first time in over a decade, according to the research firm eMarketer. Amazon is expected to have 22.3% of the market this year, with 17.6% growth, compared with Google's 50.5% share and its 7.6% growth.

Read more of this story at Slashdot.

An anonymous Slashdot reader shared the EFF's "Deeplink" blog post: EFF, along with the ACLU and the ACLU of Mississippi, filed an amicus brief on Thursday asking a federal appellate court to continue to block Mississippi's HB 1126 — a bill that imposes age verification mandates on social media services across the internet. Our friend-of-the-court brief, filed in the U.S. Court of Appeals for the Fifth Circuit, argues that HB 1126 is "an extraordinary censorship law that violates all internet users' First Amendment rights to speak and to access protected speech" online. HB 1126 forces social media sites to verify the age of every user and requires minors to get explicit parental consent before accessing online spaces. It also pressures them to monitor and censor content on broad, vaguely defined topics — many of which involve constitutionally protected speech. These sweeping provisions create significant barriers to the free and open internet and "force adults and minors alike to sacrifice anonymity, privacy, and security to engage in protected online expression." A federal district court already prevented HB 1126 from going into effect, ruling that it likely violated the First Amendment. At the heart of our opposition to HB 1126 is its dangerous impact on young people's free expression. Minors enjoy the same First Amendment right as adults to access and engage in protected speech online. "No legal authority permits lawmakers to burden adults' access to political, religious, educational, and artistic speech with restrictive age-verification regimes out of a concern for what minors might see" [argues the brief]. "Nor is there any legal authority that permits lawmakers to block minors categorically from engaging in protected expression on general purpose internet sites like those regulated by HB 1126..." "The law requires all users to verify their age before accessing social media, which could entirely block access for the millions of U.S. adults who lack government-issued ID..." And it also asks another question. "Would you want everything you do online to be linked to your government-issued ID?" And the blog post makes one more argument. "in an era where data breaches and identity theft are alarmingly common." So the bill "puts every user's personal data at risk... No one — neither minors nor adults — should have to sacrifice their privacy or anonymity in order to exercise their free speech rights online."

Read more of this story at Slashdot.

An anonymous reader shared this post from the blog It's FOSS It has been more than two years since K-9 Mail (an open-source email client for Android) joined the Mozilla Thunderbird project. Instead of making a new mobile app from scratch, Mozilla decided to convert K-9 Mail slowly into the new Thunderbird Android app. While we have known about it for some time now, we finally have something to test: Thunderbird for Android (Beta). Mozilla is looking for users to test it and plans a stable release at the end of October. The new Thunderbird app is now available on the Play Store as a beta version for user testing. So, we are closer to the stable launch than ever before. The article includes a few screenshots of the app... "For the functionality side, you can expect things like light/dark theme, email signature, unified inbox, ability to enable/disable contact pictures, threaded view, and opt out of data usage collection for privacy..."

Read more of this story at Slashdot.

800,000 tons of rock have been excavated from a South Dakota research facility — part of a multi-year process "to help answer some of physics' biggest questions," writes America's Energy Department. "The caverns they excavated will hold a massive particle detector and accompanying equipment." Along with partners from more than 35 countries, the Department of Energy's Office of Science is supporting the Deep Underground Neutrino Experiment at the Long-Baseline Neutrino Facility (LBNF-DUNE)... To study how neutrinos change type as they travel, LBNF-DUNE will be sending a stream of neutrinos from DOE's Fermilab National Accelerator Laboratory in Illinois [nearly 600 miles away] to South Dakota. At the beginning and end of the particles' journey, detectors will measure the types of neutrinos and antineutrinos. By comparing the rates of how both particles change type, scientists may find a difference that accounts for that ancient misalignment. There's also hope they'll detect neutrinos from supernovae explosions — and maybe even decaying protons LBNF-DUNE will use massive, seven-story tall detectors. Each detector will have 17,000 tons of liquid argon. That vast quantity of liquid maximizes the likelihood that scientists will detect as many neutrinos as possible. The far detector — the one in South Dakota — will be located about a mile underground. That distance places it in the right location compared to Fermilab and blocks the detector from other cosmic particles. "Just carrying out the excavation took three years," the announcement notes. ("The team had to dissemble the equipment, move it deep underground, and then reassemble it.) The 800,000 tons of rock were moved to the surface and then stored in a former mine. "Now that the excavation is complete, the LBNF-DUNE team is moving on to the next steps. Currently, they are installing the far detector in the Sanford Underground Research Facility. They anticipate finishing construction and starting to operate the detector in 2028. The team will then move on to installing the near detector at Fermilab. "The launch of LBNF/DUNE will be the beginning of a new era in understanding neutrinos and knowing more about our universe as a whole."

Read more of this story at Slashdot.

Long-time Slashdot reader Bismillah writes: Python New Zealand has gone through some rough times lately, with its then-treasurer stealing money from the society.. Things were looking really serious for a while, with Python NZ looking at being liquidated due to the theft of funds. However, there is a silver lining to the story, as the free and open source movement rallied behind Python NZ and got them out of a serious pickle. "Our friends at Linux Australia and at the Python Software Foundation went well above and beyond to support us, and save us," says Tom Eastman president of Python New Zealand, in an article from interest.co.nz. He also says he hopes the treasure is ordered by the court to pay restitution. (In the article the treasurer confirms that he's pleaded guilty to the theft, which took place between February 2019 and October 2023 — leaving Python NZ owing conference supplies around $55,000.) "We had $26 in the bank accounts," Eastman tells the site. The group now has new transparency and accountability measures...

Read more of this story at Slashdot.

Long-time Slashdot reader schwit1 shared this report from Australia's public broadcaster ABC: Ecovacs robot vacuums, which have been found to suffer from critical cybersecurity flaws, are collecting photos, videos and voice recordings — taken inside customers' houses — to train the company's AI models. The Chinese home robotics company, which sells a range of popular Deebot models in Australia, said its users are "willingly participating" in a product improvement program. When users opt into this program through the Ecovacs smartphone app, they are not told what data will be collected, only that it will "help us strengthen the improvement of product functions and attached quality". Users are instructed to click "above" to read the specifics, however there is no link available on that page. Ecovacs's privacy policy — available elsewhere in the app — allows for blanket collection of user data for research purposes, including: - The 2D or 3D map of the user's house generated by the device - Voice recordings from the device's microphone — Photos or videos recorded by the device's camera "It also states that voice recordings, videos and photos that are deleted via the app may continue to be held and used by Ecovacs..."

Read more of this story at Slashdot.

An anonymous reader shared this report from the Washington Post: Hundreds of Americans have been arrested after being connected to a crime by facial recognition software, a Washington Post investigation has found, but many never know it because police seldom disclose their use of the controversial technology... In fact, the records show that officers often obscured their reliance on the software in public-facing reports, saying that they identified suspects "through investigative means" or that a human source such as a witness or police officer made the initial identification... The Coral Springs Police Department in South Florida instructs officers not to reveal the use of facial recognition in written reports, according to operations deputy chief Ryan Gallagher. He said investigative techniques are exempt from Florida's public disclosure laws... The department would disclose the source of the investigative lead if it were asked in a criminal proceeding, Gallagher added.... Prosecutors are required to inform defendants about any information that would help prove their innocence, reduce their sentence or hurt the credibility of a witness testifying against them. When prosecutors fail to disclose such information — known as a "Brady violation" after the 1963 Supreme Court ruling that mandates it — the court can declare a mistrial, overturn a conviction or even sanction the prosecutor. No federal laws regulate facial recognition and courts do not agree whether AI identifications are subject to Brady rules. Some states and cities have begun mandating greater transparency around the technology, but even in these locations, the technology is either not being used that often or it's not being disclosed, according to interviews and public records requests... Over the past four years, the Miami Police Department ran 2,500 facial recognition searches in investigations that led to at least 186 arrests and more than 50 convictions. Among the arrestees, just 1 in 16 were told about the technology's use — less than 7 percent — according to a review by The Post of public reports and interviews with some arrestees and their lawyers. The police department said that in some of those cases the technology was used for purposes other than identification, such as finding a suspect's social media feeds, but did not indicate in how many of the cases that happened. Carlos J. Martinez, the county's chief public defender, said he had no idea how many of his Miami clients were identified with facial recognition until The Post presented him with a list. "One of the basic tenets of our justice system is due process, is knowing what evidence there is against you and being able to challenge the evidence that's against you," Martinez said. "When that's kept from you, that is an all-powerful government that can trample all over us." After reviewing The Post's findings, Miami police and local prosecutors announced plans to revise their policies to require clearer disclosure in every case involving facial recognition. The article points out that Miami's Assistant Police Chief actually told a congressional panel on law enforcement AI use that his department is "the first to be completely transparent about" the use of facial recognition. (When confronted with the Washington Post's findings, he "acknowledged that officers may not have always informed local prosecutors [and] said the department would give prosecutors all information on the use of facial recognition, in past and future cases". He told the Post that the department would "begin training officers to always disclose the use of facial recognition in incident reports." But he also said they would "leave it up to prosecutors to decide what to disclose to defendants."

Read more of this story at Slashdot.

Amazon launched "cashierless checkout" stores In 2018, reports CNBC — but by 2020 it was licensing the "Just Walk Out" technology to other stores in airports, hospitals, and stadiums. In April, Amazon announced it was removing cashierless checkout from its U.S. Fresh stores and Whole Foods locations... In place of Just Walk Out, which typically requires ceiling-mounted cameras, shelf sensors and gated entry points, Amazon Fresh stores and Whole Foods supermarkets will feature Dash Carts. The carts track and tally up items as shoppers place them in bags, enabling people to skip the checkout line. Amazon continues to use Just Walk Out in its grab-and-go marts and UK Fresh stores... While it's no longer featuring Just Walk Out as prominently in its own stores, Amazon says it has inked deals with a growing list of customers. More than 200 third-party stores have paid Amazon to install the cashierless system. The company expects to double the number of third-party Just Walk Out stores this year, Jon Jenkins, who previously served as vice president of Amazon's Just Walk Out technology, said in a recent interview... Amazon's "primary focus" is selling the technology to third-party businesses and deploying it in small to medium-sized store formats, where the system "tends to generate a little better [return on investment]," Jenkins said... At one Just Walk Out store, inside Seattle's Lumen Field, home to the NFL's Seahawks, the company said it boosted sales by 112% last season, with 85% more transactions during the course of a game. Two interesting points from the article: "Earlier this year, Amazon also began selling its connected grocery carts to third parties." "With Just Walk Out, Amazon faces the challenge of convincing retailers that they can trust one of their biggest competitors with handling valuable shopper data..."

Read more of this story at Slashdot.

"Pine64 has confirmed that its open-source e-ink tablet is returning," reports the blog OMG Ubuntu: The [10.1-inch e-ink display] PineNote was announced in 2021, building on the success of its non-SBC devices like the PinePhone (and later Pro model), the PineTab, and PineBook devices. Like most of Pine64's devices, software support is largely tackled by the community. But only a small batch of developer units were ever sold, primarily by enthusiasts within the open-source community who had the knowledge and desire to work on getting a modern Linux OS to run on the hardware, and adapt to the e-ink display. That process has taken a while, as Pine64's community bloggers explain: "The PineNote was stuck in a chicken-and-egg situation because of the very high cost of manufacturing the device (ePaper screens are sadly still expensive), and so the risk of manufacturing units that then didn't have a working Linux OS and would not sell was huge." However, the proverbial egg has finally hatched. The PineNote now has a reliable Debian-based OS, developed by Maximilian Weigand. This is described as "not only a bare-bones capable OS but a genuinely daily-usable system that 'just works'" according to the Pine64 blog. ["This is excellent as it also moves the target audience from developers to every day users. You should be able to power on the device and drop into a working Gnome experience."] It is said to use the GNOME desktop plus a handful of extensions designed to ensure the UI adapts to working well with an e-ink display. Software pre-installed includes Xournal++ for note taking, Firefox for web browsing, and Foliate for reading ebooks, among others. [And it even runs Doom...] Existing PineNote owners can download the the new OS image, flash it to their device, and help test it... Touch and stylus input are major selling points of the PineNote, positioning it as a libre alternative to leading e-ink note-taking devices like the Remarkable 2, Onyx BOOX, and Amazon Scribe. "I do not (yet) have a launch date target," according to the blog post, "as behind-the-scenes the Pine Store team are still working on all things production." But the update also links to some blog posts about their free and open source smartwatch PineTime...

Read more of this story at Slashdot.

The British Post Office scandal "was first exposed by Computer Weekly in 2009, revealing the stories of seven subpostmasters and the problems they suffered due to Horizon accounting software," remembers Computer Weekly, "which led to the most widespread miscarriage of justice in British history." But now the Post Office "is investigating allegations that a senior executive instructed staff to destroy or conceal documents that could be of interest to the Post Office scandal public inquiry," Computer Weekly writes. A company employee acknowleged a report in an internal whistleblower program "regarding destroying or concealing material... allegations that a senior Post Office member of staff had instructed their team to destroy or conceal material of possible interest to the inquiry, and that the same individual had engaged in inappropriate behaviour." The shocking revelation echoes evidence from appeals against wrongful convictions in 2021. During the Court of Appeal trials it was revealed that a senior Post Office executive instructed employees to shred documents that undermined an insistence that its Horizon computer system was robust, amid claims that errors in the system caused unexplained accounting shortfalls.

Read more of this story at Slashdot.

"Scientists can't agree on the exact rate of expansion of the universe, dictated by the Hubble constant," a new article at Space.com reminds us: The rate can be measured starting from the local (and therefore recent) universe, then going farther back in time — or, it can be calculated starting from the distant (and therefore early) universe, then working your way up. The issue is both methods deliver values that don't agree with each other. This is where the James Web Space Telescope (JWST) comes in. Gravitationally lensed supernovas in the early cosmos the JWST is observing could provide a third way of measuring the rate, potentially helping resolve this "Hubble trouble." "The supernova was named 'supernova Hope' since it gives astronomers hope to better understand the universe's changing expansion rate," Brenda Frye, study team leader and a University of Arizona researcher, said in a NASA statement. This investigation of supernova Hope began when Frye and her global team of scientists found three curious points of light in a JWST image of a distant, densely packed cluster of galaxies. Those points of light in the image were not visible when the Hubble Space Telescope imaged the same cluster, known as PLCK G165.7+67.0 or, more simply, G165, back in 2015. "It all started with one question by the team: 'What are those three dots that weren't there before? Could that be a supernova?'" Frye said. The team noted a "high rate of star formation... more than 300 solar masses per year," according to NASA's statement: Dr. Frye: "Initial analyses confirmed that these dots corresponded to an exploding star, one with rare qualities. First, it's a Type Ia supernova, an explosion of a white dwarf star. This type of supernova is generally called a 'standard candle,' meaning that the supernova had a known intrinsic brightness. Second, it is gravitationally lensed. Gravitational lensing is important to this experiment. The lens, consisting of a cluster of galaxies that is situated between the supernova and us, bends the supernova's light into multiple images... To achieve three images, the light traveled along three different paths. Since each path had a different length, and light traveled at the same speed, the supernova was imaged in this Webb observation at three different times during its explosion... Trifold supernova images are special: The time delays, supernova distance, and gravitational lensing properties yield a value for the Hubble constant... The team reports the value for the Hubble constant as 75.4 kilometers per second per megaparsec, plus 8.1 or minus 5.5... This is only the second measurement of the Hubble constant by this method, and the first time using a standard candle. Their result? "The Hubble constant value matches other measurements in the local universe, and is somewhat in tension with values obtained when the universe was young."

Read more of this story at Slashdot.

An anonymous reader shared this report from Engadget: Three new theft protection features that Google announced earlier this year have reportedly started rolling out on Android. The tools — Theft Detection Lock, Offline Device Lock and Remote Lock — are aimed at giving users a way to quickly lock down their devices if they've been swiped, so thieves can't access any sensitive information. Android reporter Mishaal Rahman shared on social media that the first two tools had popped up on a Xiaomi 14T Pro, and said some Pixel users have started seeing Remote Lock. Theft Detection Lock is triggered by the literal act of snatching. The company said in May that the feature "uses Google AI to sense if someone snatches your phone from your hand and tries to run, bike or drive away." In such a scenario, it'll lock the phone's screen. The Android reporter summarized the other two locking features in a post on Reddit: Remote Lock "lets you remotely lock your phone using just your phone number in case you can't sign into Find My Device using your Google account password." Offline Device Lock "automatically locks your screen if a thief tries to keep your phone disconnected from the Internet for an extended period of time." "All three features entered beta in August, starting in Brazil. Google told me the final versions of these features would more widely roll out this year, and it seems the features have begun expanding."

Read more of this story at Slashdot.

He's the long-time Slashdot reader who installed Linux on a 1993 PC — and then installed a 1994 version of MS-DOS on a modern Thinkpad X13. (And somewhere along the way, he even built a ChatGPT client for DOS...) But in a new blog post, yeokm1 reveals "I recently built myself a PC," salvaging parts from a previous desktop system to bootstrap an upgrade. And "I decided to build one with the ability to still reach back into the past to run MS-DOS..." The result? A Ryzen 5 7600 and GeForce 4060 Ti system, but with a floppy drive, optical drive, Sound Blaster card, serial, parallel and PS/2 ports — that runs MS-DOS. The fact that a 30-year-old MS-DOS 6.22 can still work well enough on such a modern hardware is testament to the efforts made by the industry to ensure good x86 PC backward compatibility. AMD, Nvidia and Asus deserve to be commended on their efforts here. I'm also impressed that the modern Nvidia Geforce 4060 Ti still supports some legacy video BIOS modes to a usable level although this is not complete. I didn't document in this blog post but brief tests with other VESA modes and resolutions didn't work so well. I wonder how long more this amount of x86 PC backward-compatibility will continue to last though... It definitely feels like the end is near. Their blog post includes a video about their system. (And yes, it plays Doom.) But their ultimate goal is to use it to play modern games like Cyberpunk 2077 and Flight Simulator 2020 (as well as the upcoming Flight Simulator 2024) "at reasonably good settings and performance. (And also to experiment with light machine-learning workloads, do basic video editing, run virtual machines.) After successfully building their DOS-running system, they asked ChatGPT what it thought. Would the system's specs be powerful enough to handle the 30-year-old operation system? And ChatGPT confidently replied: "Neither the Ryzen 5 7600 nor the GeForce RTX 4060 Ti is designed to run DOS natively. DOS is an older operating system that was primarily used on x86 architecture from the late 20th century, and modern hardware like the Ryzen 5 7600 and GeForce RTX 4060 Ti are not compatible with DOS due to their 64-bit architecture and lack of necessary drivers to interface correctly with DOS, which relied on much older technology..." yeokm1's blog post concludes: "I think I just proved ChatGPT wrong :P"

Read more of this story at Slashdot.

An anonymous reader shared this report from Reuters: Brazil's Supreme Court said on Friday that lawyers representing social media platform X did not pay pending fines to the proper bank, postponing its decision on whether to allow the tech firm to resume services in Brazil. The payment of the fines, which X lawyers argued that the company had paid correctly, is the only outstanding measure demanded by the court in order to authorize X to operate again in Brazil... Earlier on Friday, X, owned by billionaire Elon Musk, filed a fresh request to have its services restored in Brazil, saying it had paid all pending fines. In response to the request, Supreme Court Justice Alexandre de Moraes requested the payment to be transferred to the right bank. He also determined that once fines are sorted out, Brazil's prosecutor general will give his opinion on the recent requests made by X's legal team in Brazil, which has been seeking to have the platform restored in the country. Following Moraes' decision on Friday, X lawyers again asked the court for authorization to resume operations in Brazil, denying that the company had paid the fines to the wrong account and saying they do not see the need for the prosecutor general to be consulted before the ban is lifted.

Read more of this story at Slashdot.

"China Telecom, one of the largest wireless carriers in mainland China, says that it has developed two large language models (LLMs) relying solely on domestically manufactured AI chips..." reports Tom's Hardware. "If the information is accurate, this is a crucial milestone in China's attempt at becoming independent of other countries for its semiconductor needs, especially as the U.S. is increasingly tightening and banning the supply of the latest, highest-end chips for Beijing in the U.S.-China chip war." Huawei, which has mostly been banned from the U.S. and other allied countries, is one of the leaders in China's local chip industry... If China Telecom's LLMs were indeed fully trained using Huawei chips alone, then this would be a massive success for Huawei and the Chinese government. The project's GitHub page "contains a hint about how China Telecom may have trained the model," reports the Register, "in a mention of compatibility with the 'Ascend Atlas 800T A2 training server' — a Huawei product listed as supporting the Kunpeng 920 7265 or Kunpeng 920 5250 processors, respectively running 64 cores at 3.0GHz and 48 cores at 2.6GHz. Huawei builds those processors using the Arm 8.2 architecture and bills them as produced with a 7nm process." The South China Morning Post says the unnamed model has 1 trillion parameters, according to China Telecom, while the TeleChat2t-115B model has over 100 billion parameters. Thanks to long-time Slashdot reader hackingbear for sharing the news.

Read more of this story at Slashdot.

"Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users." That's the title of a new report released this week by cybersecurity company Group-IB revealing the official Apple App Store and Google Play store offered apps that were actually one part of a larger fraud campaign. "To complete the scam, the victim is asked to fund their account... After a few seemingly successful trades, the victim is persuaded to invest more and more money. The account balance appears to grow rapidly. However, when the victim attempts to withdraw funds, they are unable to do so." Forbes reports: Group-IB determined that the frauds would begin with a period of social engineering reconnaissance and entrapment, during which the trust of the potential victim was gained through either a dating app, social media app or even a cold call. The attackers spent weeks on each target. Only when this "fattening up" process had reached a certain point would the fraudsters make their next move: recommending they download the trading app from the official App Store concerned. When it comes to the iOS app, which is the one that the report focussed on, Group-IB researchers said that the app remained on the App Store for several weeks before being removed, at which point the fraudsters switched to phishing websites to distribute both iOS and Android apps. The use of official app stores, albeit only fleetingly as Apple and Google removed the fake apps in due course, bestowed a sense of authenticity to the operation as people put trust in both the Apple and Google ecosystems to protect them from potentially dangerous apps. "The use of web-based applications further conceals the malicious activity," according to the researchers, "and makes detection more difficult." [A]fter the download is complete, the application cannot be launched immediately. The victim is then instructed by the cybercriminals to manually trust the Enterprise developer profile. Once this step is completed, the fraudulent application becomes operational... Once a user registers with the fraudulent application, they are tricked into completing several steps. First, they are asked to upload identification documents, such as an ID card or passport. Next, the user is asked to provide personal information, followed by job-related details... The first discovered application, distributed through the Apple App Store, functions as a downloader, merely retrieving and displaying a web-app URL. In contrast, the second application, downloaded from phishing websites, already contains the web-app within its assets. We believe this approach was deliberate, since the first app was available in the official store, and the cybercriminals likely sought to minimise the risk of detection. As previously noted, the app posed as a tool for mathematical formulas, and including personal trading accounts within an iOS app would have raised immediate suspicion. The app (which only runs on mobile phones) first launches a fake activity with formulas and graphics, according to the researchers. "We assume that this condition must bypass Apple's checks before being published to the store. As we can see, this simple trick allows cybercriminals to upload their fraudulent application to the Apple Store." They argue their research "reinforces the need for continued review of app store submissions to prevent such scams from reaching unsuspecting victims". But it also highlights "the importance of vigilance and end-user education, even when dealing with seemingly trustworthy apps..." "Our investigation began with an analysis of Android applications at the request of our client. The client reported that a user had been tricked into installing the application as part of a stock investment scam. During our research, we uncovered a list of similar fraudulent applications, one of which was available on the Google Play Store. These apps were designed to display stock-related news and articles, giving them a false sense of legitimacy."

Read more of this story at Slashdot.